Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Identifiers to Authorization & Order structs #7961

Open
wants to merge 32 commits into
base: main
Choose a base branch
from
Open

Add Identifiers to Authorization & Order structs #7961

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
e8ebb38
Add Identifiers to Authorization & Order structs
jprenken Jan 21, 2025
a133fb2
Add TODOs, clarify others, found existing NormalizeIdentifiers
jprenken Jan 21, 2025
9e34394
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 21, 2025
92b5df2
Use identifiers in policy functions & part of wfe NewOrder
jprenken Jan 22, 2025
807f44a
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 22, 2025
8bddab2
Change HashNames to HashIdentifiers, fix more errors, drink more Glurp
jprenken Jan 22, 2025
9307f39
Use 'idents' var name instead of 'identifiers' to reduce confusion wi…
jprenken Jan 22, 2025
66bddc4
Use identifiers in RequestEvent, add convenience funcs to identifier pkg
jprenken Jan 23, 2025
f56c456
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 23, 2025
98538f4
Use identifiers in ra.NewOrder, fix test typo, move AsProto calls to …
jprenken Jan 23, 2025
ed7e503
Change some SA model & test functions to use identifiers
jprenken Jan 23, 2025
3b659a6
Change ra.certificateRequestEvent & test functions to use identifiers
jprenken Jan 23, 2025
95e473d
Fix more TODOs in cert-checker, tests & mocks
jprenken Jan 23, 2025
a792197
Add helper funcs, with tests, to handle both idents & names
jprenken Jan 24, 2025
008498a
Add empty/nil test cases
jprenken Jan 24, 2025
5c1845b
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 24, 2025
1bcd9fc
Use identifiers throughout integration tests
jprenken Jan 24, 2025
013206b
Consistent nil/empty handling
jprenken Jan 24, 2025
4f4905c
Simplify helper funcs; their callers won't use names
jprenken Jan 24, 2025
b5840da
Remove singular helper func, not useful because of defers; use helper…
jprenken Jan 24, 2025
9e70389
Actually remove singular helper func, and it's because of derefs, not…
jprenken Jan 24, 2025
e2a3082
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 25, 2025
4f9700a
Identifier-ize new code from main
jprenken Jan 25, 2025
9e3c10f
Plumb identifiers through RA
jprenken Jan 25, 2025
8bbe0f3
Plumb identifiers through grpc & sa
jprenken Jan 25, 2025
d0b7523
Remove stale TODOs
jprenken Jan 25, 2025
b368e44
Fix missed reference in SA (don't worry, there are still more failures)
jprenken Jan 25, 2025
f8844d3
Fix last tests!
jprenken Jan 26, 2025
16a2c10
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 26, 2025
d4c07a5
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 27, 2025
79bb748
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 27, 2025
b65c35a
Merge branch 'main' of github.com:letsencrypt/boulder into pb-identif…
jprenken Jan 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 10 additions & 9 deletions cmd/cert-checker/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"github.com/letsencrypt/boulder/features"
"github.com/letsencrypt/boulder/goodkey"
"github.com/letsencrypt/boulder/goodkey/sagoodkey"
"github.com/letsencrypt/boulder/identifier"
_ "github.com/letsencrypt/boulder/linter"
blog "github.com/letsencrypt/boulder/log"
"github.com/letsencrypt/boulder/policy"
Expand Down Expand Up @@ -298,8 +299,8 @@ var expectedExtensionContent = map[string][]byte{
// likely valid at the time the certificate was issued. Authorizations with
// status = "deactivated" are counted for this, so long as their validatedAt
// is before the issuance and expiration is after.
func (c *certChecker) checkValidations(ctx context.Context, cert core.Certificate, dnsNames []string) error {
authzs, err := sa.SelectAuthzsMatchingIssuance(ctx, c.dbMap, cert.RegistrationID, cert.Issued, dnsNames)
func (c *certChecker) checkValidations(ctx context.Context, cert core.Certificate, idents []identifier.ACMEIdentifier) error {
authzs, err := sa.SelectAuthzsMatchingIssuance(ctx, c.dbMap, cert.RegistrationID, cert.Issued, idents)
if err != nil {
return fmt.Errorf("error checking authzs for certificate %s: %w", cert.Serial, err)
}
Expand All @@ -310,16 +311,16 @@ func (c *certChecker) checkValidations(ctx context.Context, cert core.Certificat

// We may get multiple authorizations for the same name, but that's okay.
// Any authorization for a given name is sufficient.
nameToAuthz := make(map[string]*corepb.Authorization)
identToAuthz := make(map[string]*corepb.Authorization)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identifiers are comparable: they only have two fields, both of which are concrete strings. You should be able to use them directly as map keys, rather than collapsing them into just their values.

for _, m := range authzs {
nameToAuthz[m.DnsName] = m
identToAuthz[m.Identifier.Value] = m
}

var errors []error
for _, name := range dnsNames {
_, ok := nameToAuthz[name]
for _, ident := range idents {
_, ok := identToAuthz[ident.Value]
if !ok {
errors = append(errors, fmt.Errorf("missing authz for %q", name))
errors = append(errors, fmt.Errorf("missing authz for %q", ident))
continue
}
}
Expand Down Expand Up @@ -406,7 +407,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
// We do not check the CommonName here, as (if it exists) we already checked
// that it is identical to one of the DNSNames in the SAN.
for _, name := range parsedCert.DNSNames {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note that we'll need to iterate over parsedCert.IPAddresses as well. Not in this PR, but maybe you want to leave a TODO here because it would be easy to miss.

err = c.pa.WillingToIssue([]string{name})
err = c.pa.WillingToIssue([]identifier.ACMEIdentifier{identifier.NewDNS(name)})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should be able to use your new identifier.SliceNewDNS here too.

if err != nil {
problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
} else {
Expand Down Expand Up @@ -469,7 +470,7 @@ func (c *certChecker) checkCert(ctx context.Context, cert core.Certificate, igno
}

if features.Get().CertCheckerChecksValidations {
err = c.checkValidations(ctx, cert, parsedCert.DNSNames)
err = c.checkValidations(ctx, cert, identifier.SliceNewDNS(parsedCert.DNSNames))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe also leave a TODO for processing .IPAddresses here.

if err != nil {
if features.Get().CertCheckerRequiresValidations {
problems = append(problems, err.Error())
Expand Down
3 changes: 2 additions & 1 deletion cmd/expiration-mailer/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import (
"github.com/letsencrypt/boulder/db"
"github.com/letsencrypt/boulder/features"
bgrpc "github.com/letsencrypt/boulder/grpc"
"github.com/letsencrypt/boulder/identifier"
blog "github.com/letsencrypt/boulder/log"
bmail "github.com/letsencrypt/boulder/mail"
"github.com/letsencrypt/boulder/metrics"
Expand Down Expand Up @@ -310,7 +311,7 @@ func (m *mailer) updateLastNagTimestampsChunk(ctx context.Context, certs []*x509
}

func (m *mailer) certIsRenewed(ctx context.Context, names []string, issued time.Time) (bool, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that this function should take a slice of identifiers instead of a slice of names.

namehash := core.HashNames(names)
namehash := core.HashIdentifiers(identifier.SliceNewDNS(names))

var present bool
err := m.dbMap.SelectOne(
Expand Down
9 changes: 5 additions & 4 deletions cmd/expiration-mailer/main_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
corepb "github.com/letsencrypt/boulder/core/proto"
"github.com/letsencrypt/boulder/db"
berrors "github.com/letsencrypt/boulder/errors"
"github.com/letsencrypt/boulder/identifier"
blog "github.com/letsencrypt/boulder/log"
bmail "github.com/letsencrypt/boulder/mail"
"github.com/letsencrypt/boulder/metrics"
Expand Down Expand Up @@ -353,7 +354,7 @@ func TestNoContactCertIsRenewed(t *testing.T) {
setupDBMap, err := sa.DBMapForTest(vars.DBConnSAFullPerms)
test.AssertNotError(t, err, "setting up DB")
err = setupDBMap.Insert(ctx, &core.FQDNSet{
SetHash: core.HashNames(names),
SetHash: core.HashIdentifiers(identifier.SliceNewDNS(names)),
Serial: core.SerialToString(serial2),
Issued: testCtx.fc.Now().Add(time.Hour),
Expires: expires.Add(time.Hour),
Expand Down Expand Up @@ -570,13 +571,13 @@ func addExpiringCerts(t *testing.T, ctx *testCtx) []certDERWithRegID {
test.AssertNotError(t, err, "creating cert D")

fqdnStatusD := &core.FQDNSet{
SetHash: core.HashNames(certDNames),
SetHash: core.HashIdentifiers(identifier.SliceNewDNS(certDNames)),
Serial: serial4String,
Issued: ctx.fc.Now().AddDate(0, 0, -87),
Expires: ctx.fc.Now().AddDate(0, 0, 3),
}
fqdnStatusDRenewed := &core.FQDNSet{
SetHash: core.HashNames(certDNames),
SetHash: core.HashIdentifiers(identifier.SliceNewDNS(certDNames)),
Serial: serial5String,
Issued: ctx.fc.Now().AddDate(0, 0, -3),
Expires: ctx.fc.Now().AddDate(0, 0, 87),
Expand Down Expand Up @@ -737,7 +738,7 @@ func TestCertIsRenewed(t *testing.T) {
t.Fatal(err)
}
fqdnStatus := &core.FQDNSet{
SetHash: core.HashNames(testData.DNS),
SetHash: core.HashIdentifiers(identifier.SliceNewDNS(testData.DNS)),
Serial: testData.stringSerial,
Issued: testData.NotBefore,
Expires: testData.NotAfter,
Expand Down
3 changes: 2 additions & 1 deletion cmd/reversed-hostname-checker/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"os"

"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/identifier"
"github.com/letsencrypt/boulder/policy"
"github.com/letsencrypt/boulder/sa"
)
Expand Down Expand Up @@ -50,7 +51,7 @@ func main() {
var errors bool
for scanner.Scan() {
n := sa.ReverseName(scanner.Text())
err := pa.WillingToIssue([]string{n})
err := pa.WillingToIssue([]identifier.ACMEIdentifier{identifier.NewDNS(n)})
if err != nil {
errors = true
fmt.Printf("%s: %s\n", n, err)
Expand Down
2 changes: 1 addition & 1 deletion core/interfaces.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import (
// PolicyAuthority defines the public interface for the Boulder PA
// TODO(#5891): Move this interface to a more appropriate location.
type PolicyAuthority interface {
WillingToIssue([]string) error
WillingToIssue([]identifier.ACMEIdentifier) error
ChallengeTypesFor(identifier.ACMEIdentifier) ([]AcmeChallenge, error)
ChallengeTypeEnabled(AcmeChallenge) bool
CheckAuthzChallenges(*Authorization) error
Expand Down
Loading
Loading